Amazon EC2 and Amazon VPC Hands-On Workshop

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Hands-on Workshop
Amazon EC2 and Amazon VPC
Anson Shen – Solutions Architect
Sebastien Linsolas – Solutions Architect
Herman Mak – Associate Solutions Architect

AWS Overview

Run applications –
reliably and securely
Provision network, compute,
storage and database services in the
cloud with the click of a button
Everything you’d want to do
in a traditional datacenter
What is Amazon Web Services (AWS)?

AWS Products

18 Regions – 55 Availability Zones – 136 Edge PoPs
AWS Global Infrastructure

AWS Global Infrastructure
Regions
Geographic locations
Consists of two or more Availability Zones (AZs)
Availability Zone (AZ)
One or more data centers
Isolated from failures in other Availability Zones

AZ – Availability Zone
Single
digit
ms
Network
multiple tier-1 transit providers
Power
isolated electrical grids, UPS, onsite backup generator
Geo
isolated fault lines flood plains
Network
multiple tier-1 transit providers
Power
isolated electrical grids, UPS, onsite backup generator
Geo
isolated fault lines flood plains

Edge Locations
136 AWS Edge Locations:
Local points-of-presence commonly supporting AWS
services including:
• Amazon Route 53
• Amazon CloudFront

Amazon Elastic Compute
Cloud (EC2)

Amazon Elastic Compute Cloud (EC2)
Resizable compute capacity
Complete control of your computing resources
Reduces the time required to obtain and boot new
server instances to minutesAmazon
EC2

Amazon EC2 Facts
Scale capacity as your computing requirements change
Pay only for capacity that you actually use
Choose Linux or Windows
Deploy across AWS Regions and Availability Zones for reliability

Launching an Amazon EC2 Instance via the Web
Console
1. Determine the AWS Region in which you want to launch
the Amazon EC2 instance.
2. Launch an Amazon EC2 instance from a pre-configured
Amazon Machine Image (AMI).
3. Choose an instance type based on CPU, memory,
storage, and network requirements.
4. Configure network, IP address, security groups, storage
volume, tags, and key pair.

Amazon Machine Image (AMI) Details
An AMI includes the following:
A template for the root volume for the instance (for
example, an operating system, an application server, and
applications).
Launch permissions that control which AWS accounts can
use the AMI to launch instances.
A block device mapping that specifies the volumes to
attach to the instance when it's launched.

Amazon EC2 Instances
OS, Applications,
& Configuration
AMI
Running or
Stopped VM
Instances
AZ
VPC
Region
EBS
S3
EBS
Snapshots
S3 Buckets
EBS EBS EBS EBS EBS
AZ
Instances Instances

Amazon EBS vs. Amazon EC2 Instance Store
Amazon EBS
• Data stored on an Amazon EBS volume can persist
independently of the life of the instance.
• Storage is persistent.
Amazon EC2 Instance Store
• Data stored on a local instance store persists only as long as
the instance is alive.
• Storage is ephemeral.

AWS Marketplace – IT Software Optimized for the
Cloud
An online store to discover, purchase,
and deploy IT software on top of the
AWS infrastructure.
• Catalog of 2300+ IT software solutions
• Including Paid, BYOL, Open Source,
SaaS, & free to try options
• Pre-configured to operate on AWS
• Software checked by AWS for security and
operability
• Deploys to AWS environment in minutes
• Flexible, usage-based billing models
• Software charges billed to AWS account
Includes AWS Test Drive

Choosing the Right Amazon EC2 Instance
EC2 instance types are optimized for different use cases and come in
multiple sizes. This allows you to optimally scale resources to your
workload requirements.
AWS uses Intel® Xeon® processors for EC2 instances, providing
customers with high performance and value.
Consider the following when choosing your instances: Core count,
memory size, storage size and type, network performance, and CPU
technologies.
Hurry Up and Go Idle - A larger compute instance can save you time
and money, therefore paying more per hour for a shorter amount of
time can be less expensive.

Current Generation Instances
Instance Family Some Use Cases
General purpose (t2, m4, m3)
• Low-traffic websites and web applications
• Small databases and mid-size databases
Compute optimized (c4, c3)
• High performance front-end fleets
• Video-encoding
Memory optimized (x1e, x1, r4)
• High performance databases
• Distributed memory caches
Storage optimized (i3, d2, h1)
• Data warehousing
• Log or data-processing applications
GPU instances (p3, g3)
• 3D application streaming
• Machine learning

C4.xlarge (Compute-Optimized)
FamilyGeneration
TypeFamily

M2
2nd Generation
Compute
M4
4th Generation
Compute
Upgrade

Instance Metadata & User Data
Instance Metadata:
Is data about your instance.
Can be used to configure or manage a running
instance.
Instance User Data:
Can be passed to the instance at launch.
Can be used to perform common automated
configuration tasks.
Runs scripts after the instance starts.

Retrieving Instance Metadata
To view all categories of instance
metadata from within a running
instance, use the following URI:
http://169.254.169.254/latest/meta-
data/
On a Linux instance, you can use:
• $ curl http://169.254.169.254/latest/meta-data/
• $ GET http://169.254.169.254/latest/meta-data/
All metadata is returned as text
(content type text/plain).

Adding User Data
You can specify user data when launching an
instance.
User data can be:
• Linux script – executed by cloud-init
• Windows batch or PowerShell scripts – executed by
EC2Config service
User data scripts run once per instance-id by default.

User Data Example Linux
User data shell scripts must start with the #!
characters and the path to the interpreter you
want to read the script.
Install Apache web server
Enable the web server
Start the web server
#!/bin/sh
yum -y install httpd
chkconfig httpd on
/etc/init.d/httpd start

User Data Example Windows
<powershell>
Import-Module ServerManager
Install-WindowsFeature web-server, web-webserver
Install-WindowsFeature web-mgmt-tools
</powershell>
Import the Server Manager module
for Windows PowerShell.
Install IIS
Install Web Management Tools

Amazon EC2 Purchasing Options
On-Demand
Instances
Pay by the hour.
Reserved
Instances
Purchase at
significant
discount.
Instances are
always available.
1-year to 3-year
terms.
Scheduled
Instances
Purchase a 1-
year RI for a
recurring period of
time.
Spot Instances
Highest bidder
uses instance at a
significant
discount.
Spot blocks
supported.
Dedicated
Hosts
Physical host is
fully dedicated to
run your
instances. Bring
your per-socket,
per-core, or per-
VM software
licenses to reduce
cost.

Amazon Simple Storage Service (S3)
Amazon S3
Storage for the Internet
Natively online, HTTP/HTTPS, REST API access
Store and retrieve any amount of data, any time,
from anywhere on the web
Highly scalable, reliable, fast and durable
Designed to deliver 99.999999999% Durability

Common Use Scenarios
Storage and Backup
Application File Hosting
Media Hosting
Software Delivery
Log files
Store AMIs and Snapshots

Amazon S3 Concepts
Amazon S3 stores data as objects
within buckets
An object is composed of a file and
optionally any metadata that describes
that file
You can have up to 100 buckets in each
account
You can control access to the bucket
and its objects
Amazon
S3
Bucket
with
Objects
Bucket
Object

Amazon S3 Security
You can control access to buckets and objects with:
• Identity and Access Management (IAM) policies
• Access Control Lists (ACLs)
• Bucket policies
You can upload or download data to Amazon S3 via SSL
encrypted endpoints.
You can encrypt data at rest using Amazon S3 SSE
You can encrypt data at client side using AWS SDKs.

Amazon S3 + Amazon Glacier
S3 Lifecycle policies allow you to delete or move
objects based on age and set rules per S3 bucket.
bucket with
objects
30 Days
Glacier
archive
365 Days

Amazon S3 Pricing
Pay only for what you use
No minimum fee
Prices based on location of your Amazon S3 bucket
Estimate monthly bill using the AWS Simple Monthly Calculator
Pricing is available as:
• Storage Pricing
• Request Pricing
• Data Transfer Pricing: data transferred out of Amazon S3

Amazon Elastic Block Store (EBS)
Persistent block level storage volumes offering
consistent and low-latency performance
• Automatically replicated within its Availability
Zone
• Independent lifecycle
• Attach to instance one at a time
• Snapshots stored durably in Amazon S3
Amazon
EBS

Amazon EBS Use Cases
OS – Use for boot/root volume, secondary volumes
Databases – Scales with your performance needs
Enterprise applications – Provides reliable block storage to run
mission-critical applications
Business continuity – Minimize data loss and recovery time by
regularly backing up using EBS Snapshots

Amazon EBS Lifecycle
Vast amounts of
unused space Create
Call CreateVolume
1 GB to 16 TB
Attach
Call AttachVolume to affiliate with
one Amazon EC2 instance
Attached
and
In Use
• Format from Amazon EC2
instance OS
• Mount formatted drive
CreateSnapshot
Snapshot to
Amazon S3
Detach
Call DetachVolume
Deleted
Call DeleteVolume

Amazon EBS Facts
You can create:
• EBS Magnetic volumes from 1 GiB to 1 TiB in size.
• EBS General Purpose (SSD) and Provisioned IOPS (SSD) volumes
up to 16 TiB in size.
You can use encrypted EBS volumes to meet a wide range
of data at-rest encryption requirements for
regulated/audited data and applications.
You can create point-in-time snapshots of EBS volumes,
which are persisted to Amazon S3.

Amazon EBS Pricing
* Check Amazon EBS Pricing page for current pricing for all regions.
Pay for what you provision:
Pricing based on region
Review Pricing Calculator online
(https://calculator.s3.amazonaws.com/index.html)
Pricing is available as:
•Storage
•IOPS

Amazon EBS and Amazon S3
Amazon EBS Amazon S3
Paradigm Block storage with file system Object store
Performance Very fast Fast
Redundancy Across multiple servers in an
Availability Zone
Across multiple facilities in a
Region
Security EBS Encryption – Data volumes
and Snapshots
Encryption
Access from the
Internet?
No (1) Yes (2)
Typical use case It is a disk drive Online storage
(1) Accessible from the Internet if mounted to server and set up as FTP, etc.
(2) Only with proper credentials, unless ACLs are world-readable

Networking
Amazon VPC

Amazon Virtual Private Cloud (VPC)
Provision a private, isolated virtual network on the
AWS cloud.
Have complete control over your virtual
networking environment.
Amazon
VPC

Amazon Virtual Private Cloud (VPC)
Your own logically isolated section of AWS
Bring your own network:
• IP Addresses
• Subnets
• Network Topology
• Routing Tables
Multiple Connectivity Options
Advanced Security Features

Networking Building Blocks
Availability Zone BAvailability Zone A
• Bring your own network
Your Network goes here
VPC – Virtual Private Cloud

VPCs and Subnets
A subnet defines a range of IP addresses in your VPC.
You can launch AWS resources into a subnet that you
select.
A private subnet should be used for resources that won’t
be accessible over the Internet.
A public subnet should be used for resources that will be
accessed over the Internet.
Each subnet must reside entirely within one Availability
Zone and cannot span zones.

Networking Building Blocks
• Bring your own network
• Create your own subnets
Availability Zone BAvailability Zone A
VPC Subnet VPC Subnet

Amazon VPC Example
Availability Zone A
Virtual Private Cloud
AWS Cloud
Public Subnet
Internet
Virtual Private Cloud
Availability Zone B
Private Subnet
Availability Zone C
VPN Only Subnet
DB Server DB Server
App Server
DB Server DB Server
DB Server
Web Server Web Server
NAT
Customer
Network
R

Network Building Blocks
AWS Cloud
Public Subnet
Private Subnet
Corporate Datacenter
VPC
172.16.0.0/16
192.168.0.0/16
10.0.10.0/16
10.0.20.0/16

Each subnet can have a
unique Route Table
Direct traffic out of the VPC
• IGW
• VGW
• VPC Endpoints
• Direct Connect
• VPC Peering
AWS Cloud
Public Subnet
Private Subnet
VPC
172.16.0.0/16
192.168.0.0/16
10.0.10.0/16
10.0.20.0/16

Public Subnet
Private Subnet
Inbound Network ACL
Source Protocol L4 Port Action
10.0.10.0/0 TCP MySQL 3306 Allow
* * * * Deny
10.0.10.0/24
10.0.30.0/24
Outbound Network ACL
Destination Protocol L4 Port Action
10.0.10.0/0 TCP * * Allow
* * * * Deny
TCP 3306 *

Optional level of security
• By default, allow all traffic
Subnet level inspection
Stateless
IP and TCP/UDP port based
Supports allow and deny rules
• Deny all at the end
Public Subnet
Private Subnet
Inbound Network ACL
Source Protocol L4 Port Action
10.0.10.0/0 TCP MySQL 3306 Allow
* * * * Deny
10.0.10.0/24
10.0.30.0/24
Outbound Network ACL
Destination Protocol L4 Port Action
10.0.10.0/0 TCP * * Allow
* * * * Deny
TCP 3306 *

Public Subnet – Web/App Tier
Private Subnet – DB Tier
TCP 443
TCP 3306
Inbound Security Group SG-DatabaseTier
Traffic from Protocol L4 Port Action
SG-WebTier MySQL TCP 3306 Allow
* * * * Deny
Inbound Security Group SG-WebELB
0.0.0.0/0 HTTPS TCP 443 Allow
* * * * Deny
Anything Else
Inbound Security Group SG-WebTier
SG-WebELB HTTP TCP 80 Allow
* * * * Deny
TCP 80
TCP 3306
TCP 80
TCP 80
TCP 3306

Inbound / Outbound
Instance level inspection
• Microsegmentation
• Mandatory, all instances
have an associated
Security Group
Stateful
Can be cross referenced
• Works across VPC Peering
Only supports allow rules
• Implicit deny all at the end
Public Subnet – Web/App Tier
Private Subnet – DB Tier
TCP 443
TCP 3306
Inbound Security Group SG-DatabaseTier
SG-WebTier MySQL TCP 3306 Allow
* * * * Deny
Inbound Security Group SG-WebELB
0.0.0.0/0 HTTPS TCP 443 Allow
* * * * Deny
Anything Else
Inbound Security Group SG-WebTier
SG-WebELB HTTP TCP 80 Allow
* * * * Deny
TCP 80
TCP 3306
TCP 80
TCP 80
TCP 3306

Public Subnet
Private IP: 10.0.20.9
Private Subnet
AWS Cloud
Internet Gateway
Public Internet
Elastic IP: 198.51.100.2

IGW - Internet Gateway
• One per VPC
• Horizontally scaling
• Redundant
• Highly available
EIP - Elastic IPs
• Public IP address
• Can be re-associated
Public Subnet
Private Subnet
AWS Cloud
Internet Gateway
Public Internet
Elastic IP: 198.51.100.2

VPN Connections
VPN Connectivity option Description
AWS Hardware VPN
You can create an IPsec, hardware VPN connection
between your VPC and your remote network.
AWS Direct Connect
AWS Direct Connect provides a dedicated private
connection from a remote network to your VPC.
AWS VPN CloudHub
You can create multiple AWS hardware VPN
connections via your VPC to enable communications
between various remote networks.
Software VPN
You can create a VPN connection to your remote
network by using an Amazon EC2 instance in your VPC
that’s running a software VPN appliance.

AWS Cloud
Amazon S3
DynamoDB
API Gateway
Other AWS Services
Virtual Private Gateway (VGW)
Customer Gateway (CGW)
VPN Connection
2x IPSEC Tunnel

How to connect my Datacenter to AWS?
One VGW per VPC
Redundant VPN Tunnels
• Terminating in different AZs
IPSec
• AES 256-bit encryption
• SHA-2 hashing
Scalable
BGP or Static Routing AWS Cloud
Amazon S3
DynamoDB
API Gateway
Other AWS Services
Virtual Private Gateway (VGW)
Customer Gateway (CGW)
VPN Connection
2x IPSEC Tunnel

DirectConnect Location
AWS Cloud Corporate Datacenter
DirectConnect
Customer Gateway
WAN
Amazon S3
DynamoDB
API Gateway
Public VIF
Other AWS Services
Private VIF
VGW

Plan your VPC IP space before creating it
IP Addressing
• Consider future AWS region expansion
• Consider future connectivity to corporate networks
• Consider subnet design
• VPC can be /16 between and /28
• CIDR cannot be modified once created
• But you can add new CIDRs to expand the VPC IP addressing
• Overlapping IP spaces = future headache

Course Wrap-Up

Expand Your Cloud Skills with AWS
Certification
aws.amazon.com/certification
Online videos and
labs
aws.amazon.com/training/se
lf-paced-labs/
www.aws.training
Instructor-led courses

AWS Certification
For more information, see aws.amazon.com/certification

Amazon EC2 and Amazon VPC Hands-On Workshop

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Amazon EC2 and Amazon VPC Hands-On Workshop

Similar to Amazon EC2 and Amazon VPC Hands-On Workshop (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Amazon EC2 and Amazon VPC Hands-On Workshop